Обсуждение: pg_monitor role description
The following documentation comment has been logged on the website: Page: https://www.postgresql.org/docs/13/default-roles.html Description: "This role is a member of pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables." Is it correct sentence? It seems for me that pg_read_all_stats is a member of pg_monitor. But not vice versa.
On Thu, May 20, 2021 at 06:11:40AM +0000, PG Doc comments form wrote:
> "This role is a member of pg_read_all_settings, pg_read_all_stats and
> pg_stat_scan_tables."
> Is it correct sentence?
> It seems for me that pg_read_all_stats is a member of pg_monitor. But not
> vice versa.
Here is what I am getting:
=# \dgS pg_monitor
List of roles
Role name | Attributes | Member of
------------+--------------+--------------------------------------------------------------
pg_monitor | Cannot login | {pg_read_all_settings,pg_read_all_stats,pg_stat_scan_tables}
=# \dgS pg_read_all_data
List of roles
Role name | Attributes | Member of
------------------+--------------+-----------
pg_read_all_data | Cannot login | {}
So the docs look correct to me.
--
Michael
Вложения
On Thu, May 20, 2021 at 3:01 PM Michael Paquier <michael@paquier.xyz> wrote:
>
> On Thu, May 20, 2021 at 06:11:40AM +0000, PG Doc comments form wrote:
> > "This role is a member of pg_read_all_settings, pg_read_all_stats and
> > pg_stat_scan_tables."
> > Is it correct sentence?
> > It seems for me that pg_read_all_stats is a member of pg_monitor. But not
> > vice versa.
>
> Here is what I am getting:
> =# \dgS pg_monitor
> List of roles
> Role name | Attributes | Member of
> ------------+--------------+--------------------------------------------------------------
> pg_monitor | Cannot login | {pg_read_all_settings,pg_read_all_stats,pg_stat_scan_tables}
>
> =# \dgS pg_read_all_data
> List of roles
>
> Role name | Attributes | Member of
> ------------------+--------------+-----------
> pg_read_all_data | Cannot login | {}
>
> So the docs look correct to me.
Indeed. In other words pg_monitor is the sum of the authorizations
given by all those roles.
On 20.05.2021 11:54, Julien Rouhaud wrote:
On Thu, May 20, 2021 at 3:01 PM Michael Paquier <michael@paquier.xyz> wrote:On Thu, May 20, 2021 at 06:11:40AM +0000, PG Doc comments form wrote:"This role is a member of pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables." Is it correct sentence? It seems for me that pg_read_all_stats is a member of pg_monitor. But not vice versa.Here is what I am getting: =# \dgS pg_monitor List of roles Role name | Attributes | Member of ------------+--------------+-------------------------------------------------------------- pg_monitor | Cannot login | {pg_read_all_settings,pg_read_all_stats,pg_stat_scan_tables} =# \dgS pg_read_all_data List of roles Role name | Attributes | Member of ------------------+--------------+----------- pg_read_all_data | Cannot login | {} So the docs look correct to me.Indeed. In other words pg_monitor is the sum of the authorizations given by all those roles.
Let me try one more time. What is correct from the English language point of view: 1. Julien Rouhaud is a member of PostgreSQL Community. or 2. PostgreSQL Community is a member of Julien Rouhaud, Michael Paquier. Or both forms are correct? I think that 1 is correct. And column header in a \du output must be something like 'members' instead of 'member of'.
-- Pavel Luzanov Postgres Professional: https://postgrespro.com The Russian Postgres Company
Pavel Luzanov <p.luzanov@postgrespro.ru> writes:
> Let me try one more time.
> What is correct from the English language point of view:
> 1. Julien Rouhaud is a member of PostgreSQL Community.
> or
> 2. PostgreSQL Community is a member of Julien Rouhaud, Michael Paquier.
> Or both forms are correct?
> I think that 1 is correct.
You're right about that ...
> And column header in a \du output must be something like 'members' instead of 'member of'.
... but this does not follow, because it's a poor analogy. "Member of"
means "these role(s) have been GRANT'ed to pg_monitor".
As a more typical use-case, there might be a role "sysadmins" that holds
assorted privileges, and then certain individual users are granted that
role. Nobody would quibble with seeing
List of roles
Role name | Attributes | Member of
-----------+--------------+-------------
bob | | {sysadmins}
joe | | {sysadmins}
sysadmins | Cannot login | {}
and I think most would agree that titling the column "Members" would
be backwards.
regards, tom lane
On Thu, 2021-05-20 at 12:03 -0400, Tom Lane wrote:
> List of roles
> Role name | Attributes | Member of
> -----------+--------------+-------------
> bob | | {sysadmins}
> joe | | {sysadmins}
> sysadmins | Cannot login | {}
>
> and I think most would agree that titling the column "Members" would
> be backwards.
Right. you have to read that like:
Role name (bob) with attributes () is a member of (sysadmins).
Yours,
Laurenz Albe
Hello,
On 20.05.2021 19:03, Tom Lane wrote:
Pavel Luzanov <p.luzanov@postgrespro.ru> writes:Let me try one more time. What is correct from the English language point of view: 1. Julien Rouhaud is a member of PostgreSQL Community. or 2. PostgreSQL Community is a member of Julien Rouhaud, Michael Paquier. Or both forms are correct? I think that 1 is correct.You're right about that ...
So, is it correct to change description of pg_monitor role from:
"Read/execute various monitoring views and functions. This role is a member ofpg_read_all_settings,pg_read_all_statsandpg_stat_scan_tables."
to
"Read/execute various monitoring views and functions. The roles pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables are members of this role." I can prepare a simple patch.
And column header in a \du output must be something like 'members' instead of 'member of'.... but this does not follow, because it's a poor analogy. "Member of" means "these role(s) have been GRANT'ed to pg_monitor".
Yes, I understood this point and agree.
-- Pavel Luzanov Postgres Professional: https://postgrespro.com The Russian Postgres Company
Hello,
On 20.05.2021 20:27, Pavel Luzanov wrote:
So, is it correct to change description of pg_monitor role from:"Read/execute various monitoring views and functions. This role is a member ofpg_read_all_settings,pg_read_all_statsandpg_stat_scan_tables."to"Read/execute various monitoring views and functions. The roles pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tables are members of this role." I can prepare a simple patch.
Just in case, patch attached.
-- Pavel Luzanov Postgres Professional: https://postgrespro.com The Russian Postgres Company
Вложения
Pavel Luzanov <p.luzanov@postgrespro.ru> writes:
> So, is it correct to change description of pg_monitor role from:
> "Read/execute various monitoring views and functions. This role is a member
of|pg_read_all_settings|,|pg_read_all_stats| and|pg_stat_scan_tables|."
> to
> "Read/execute various monitoring views and functions. The roles pg_read_all_settings, pg_read_all_stats and
pg_stat_scan_tablesare members of this role."
No, it is not. That wording implies that the built-in grants are like
GRANT pg_monitor TO pg_read_all_settings
and so on, where the truth is the opposite.
regards, tom lane
On 20.05.2021 21:10, Tom Lane wrote: > Pavel Luzanov <p.luzanov@postgrespro.ru> writes: >> So, is it correct to change description of pg_monitor role from: >> "Read/execute various monitoring views and functions. This role is a member of|pg_read_all_settings|,|pg_read_all_stats| and|pg_stat_scan_tables|." >> to >> "Read/execute various monitoring views and functions. The roles pg_read_all_settings, pg_read_all_stats and pg_stat_scan_tablesare members of this role." > No, it is not. That wording implies that the built-in grants are like > > GRANT pg_monitor TO pg_read_all_settings > > and so on, where the truth is the opposite. I'm totally confused. I'm taking timeout to think about it. -- Pavel Luzanov Postgres Professional: https://postgrespro.com The Russian Postgres Company
On 20.05.2021 21:25, Pavel Luzanov wrote:
I'm totally confused. I'm taking timeout to think about it.
I got it! It wasn't my day.)) This wording worked for me: The pg_monitor role is a member of the pg_read_all_settings role, which allows its privileges to be used. Therefore, pg_monitor can get the value of any configuration parameter. Thanks for clarifying.
-- Pavel Luzanov Postgres Professional: https://postgrespro.com The Russian Postgres Company